Privacy Diagnostic Tool (PDT) version 1.0 Workbook Information and Privacy Commissioner/Ontario



Information and Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
416-326-3333
1-800-387-0073
Fax: 416-325-9195
TTY (Teletypewriter): 416-325-7539
Website: www.ipc.on.ca

This workbook and the Privacy Diagnostic Tool are available on the Website of the Office of the Information and Privacy Commissioner/Ontario.

GUARDENT Inc.
75 Third Avenue
Waltham, MA 02451
781-577-6500
Fax: 781-577-6600
Website: www.guardent.com

PricewaterhouseCoopers
Global Risk Management Solutions
145 King Street West
Toronto, Ontario M5H 1V8
416-814-5729
Fax: 416-814-5777
E-mail: [email protected]


Foreword

There is no question that a growing number of businesses are interested in learning more about privacy and how to protect their customers’ personal information. Surveys show this to be the case, and the growing number of speaking requests that my office has been receiving from the private sector clearly supports that fact. Over the past year in particular, I have found that after every speech or presentation I deliver, business people have approached me to ask: Where do I start? How do I begin protecting my customers’ information? And what tools are available to assist me? Unfortunately, there have been very few places for me to point them to, and few helpful tools to offer them.

Faced with this frustration, it struck me that what was needed was a simple, plain language tool, based on questions and answers for businesses looking for help and direction in implementing privacy at a concrete level. Those businesses need assistance, not only in determining what their state of privacy readiness is, but also what steps to take to identify and address what is missing.

This prompted me to do two things: first, to attempt to fill the void by developing some kind of privacy diagnostic tool and second, to seek out help from those familiar with the business world, in order to ensure that the tool would be both relevant and responsive. I approached Guardent and PricewaterhouseCoopers to participate in a project with my office. To my delight, both graciously agreed to work with us in developing the Privacy Diagnostic Tool (PDT) that you now have before you. Their business expertise was invaluable and, coupled with the privacy expertise of my office, led to the development of this new, easy-to-use tool for businesses.

I would like to extend my sincere thanks to Guardent and PricewaterhouseCoopers for working with us to produce what I believe is an excellent tool. I trust that you will find this tool valuable in meeting the challenges of implementing privacy in a rapidly changing, information-driven economy, and wish you every success.

Ann Cavoukian, Ph.D.
Commissioner


Table of Contents

Introduction ................................................................................................................... 1

Principle 1 — Accountability .......................................................................................... 5

Principle 2 — Identifying Purposes ................................................................................. 8

Principle 3 — Consent .................................................................................................. 11

Principle 4 — Limiting Collection................................................................................. 14

Principle 5 — Limiting Use, Disclosure, and Retention ................................................. 17

Principle 6 — Accuracy................................................................................................. 21

Principle 7 — Safeguards .............................................................................................. 23

Principle 8 — Openness ............................................................................................... 27

Principle 9 — Individual Access .................................................................................... 30

Principle 10 — Challenging Compliance ....................................................................... 33

Glossary of Terms ........................................................................................................ 35

Related Privacy Links ................................................................................................... 39


Introduction

In January 2000, the Wall Street Journal published a survey that showed privacy as the number one concern for North Americans for the 21st century. More recently, on March 5, 2001, Forrester Research completed a study of privacy issues for business. They stated that, “Anyone today who thinks the privacy issue has peaked is greatly mistaken … we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”

At the same time, advances in information technology and the Internet have changed the way that companies do business. Over the past decade, we have seen unparalleled growth in the ability of organizations to collect, compile, analyze, and disseminate personal information, not to mention the unprecedented volume of personal information that organizations routinely collect. As the Wall Street Journal and others attest, consumers expect their personal information to be protected and their privacy to be respected by the organizations they do business with. Breaching consumer expectations or breaking their trust lands organizations on the wrong side of the privacy issue.

Today, leading businesses recognize that privacy concerns threaten the bottom line. Accordingly, addressing privacy concerns effectively is beginning to be seen as a winning strategy for both business and consumers.

What is Privacy and Why Does It Matter?

A wide variety of interrelated values, rights, and interests come together under the rubric of privacy. For most businesses, however, the most relevant sub-set of privacy is informational privacy (also known as data protection).

Information privacy is the ability of an individual to exercise a substantial degree of control over the collection, use, and disclosure of their personal information.

Personal information includes any information about an identifiable individual. This includes information such as name, address, gender, age, ID numbers, income, ethnic origin, employee files, credit records or medical records. An individual’s name need not be attached to the information in order for it to qualify as personal information.

Most companies need to collect, use and disclose some information about their customers in order to conduct their business. But organizations must be reasonable and fair in their treatment of personal information, not only for the good of their customers, but also for the good of their own business reputations. Consumers are no longer willing to overlook a company’s failure to protect their privacy. High profile misuses of personal information have shown that a lack of respect for personal information can bring both harsh criticisms from consumers, and significant devaluation of company shares.


Thanks in part to much publicized incidents, many jurisdictions have seen a wave of legislative initiatives, such as the European Union Directive on Data Protection and Canada’s Personal Information Protection and Electronic Documents Act. Organizations around the world are now beginning to take note of international and local regulatory initiatives that may influence how they treat customer information.

There is no better time than the present for organizations that handle personal information to take a close look at their practices and bring them into line with emerging consumer expectations. In the short term, protecting personal information and developing consumer trust promise to become a strong competitive advantage. In the long term, protecting privacy will become a new business imperative.

The Privacy Diagnostic Tool (PDT): What’s In It For Me?

Organizations interested in doing business must take data privacy issues very seriously. According to a Senior Executive Panel at the May 2001 Computerworld Premier 100 Conference, even one privacy slip-up could be devastating to a company’s corporate image and brand.

Can an organization benefit from paying attention to the PDT and taking the time to use it? To help you and your organization decide whether or not to use the PDT, please review the following questions. If your organization answers yes to one or more of these questions, you will benefit from using the PDT. In fact, we highly recommend it.

Questions

1. Does your organization collect and use personal information in the course of your business?

2. Is the use of personal information an important part of your business (for example, as part of marketing, sales or Customer Relationship Management)?

3. Do you disclose your customer’s information to anyone?

4. Have you bought, sold, traded or shared personal information?

5. Is your organization potentially vulnerable to internal or external security breaches involving your customers’ personal information?

6. Do you have any questions on how current or upcoming privacy regulations will affect the way you collect and use personal information?

If you answered yes to one or more of the above questions, you will benefit from using this Privacy Diagnostic Tool.


Using the Privacy Diagnostic Tool

The PDT is a voluntary, self-administered assessment of whether and to what extent your business’s information management practices are privacy-friendly. Working through a series of questions, the PDT will help you to both assess and educate your organization, ensuring a better understanding of how to protect personal information and build consumer trust.

The PDT addresses ten principles that are key to the proper management of personal information, based on internationally recognized norms known as Fair Information Practices (FIPs). FIPs are overlapping and cumulative principles that outline responsible information handling practices. They cover the following areas:

• Accountability

• Identifying Purposes

• Consent

• Limiting Collection

• Limiting Use, Disclosure, Retention

• Accuracy

• Safeguards

• Openness

• Individual Access

• Challenging Compliance

The PDT outlines each principle, explains its objectives, and notes some risks that your organization may face if it fails to adhere to the principle.

For each principle, there is a series of questions on implementation, divided into two sections. The first section, Implementing the Principles, identifies and assesses your compliance with the required steps for implementing the principle. The second section, Best Practices, identifies and assesses your compliance with best practices for implementing the principle. Simply answer Yes or No to each question, based upon your current business practices. If the requirement or best practice is not applicable to your organization, answer Yes.

If you have answered No to one of the questions under the heading What You Need to Do, your organization is not fully adhering to that Fair Information Practice. You should review and amend your policies and procedures to ensure a Yes response. If you answered No to any of the best practices, consider whether you should adopt this practice in your organization.


About the Privacy Diagnostic Tool

Please note that this tool is not designed to provide a detailed privacy audit or an in-depth privacy impact analysis. Use of this tool should be viewed as an initial gauge of one’s privacy readiness; it is intended to be complementary to other measures you might take to protect privacy and to any measures you may be required to take for compliance with privacy legislation and other legal standards or industry privacy codes applicable to your organization.

We have endeavoured to make this tool as useful as possible. However, the Information and Privacy Commissioner/Ontario (IPC) takes no legal responsibility for the results of using this tool. The information contained in this publication should not be considered legal, accounting, tax or other professional advice or services. (If you need specific advice about your particular situation, you should always consult a suitably qualified professional.)

The PDT has been developed by the IPC with the generous assistance of Guardent and PricewaterhouseCoopers. Any errors or omissions are the sole responsibility of the IPC.

The PDT is available free of charge to any company that wishes to examine its information management policies, or to consumers who may want a tool to analyze the privacy practices of the businesses with which they interact. It is also designed to be completed anonymously and does not require the provision of results or information to any of the developers.

System Requirements

The PDT is available in three formats:

Systems running Microsoft Access 2000

• Pentium-based personal computer

• Microsoft Windows 95/98/2000/NT

• Microsoft Access 2000

• 64 MB of RAM

• 3 MB of disk space

• CD-ROM drive

Systems running Microsoft Access 97

• Pentium-based personal computer

• Microsoft Windows 95/98/2000/NT

• Microsoft Access 97

• 64 MB of RAM

• 3 MB of disk space

• CD-ROM drive

Systems not running Microsoft Access

• Pentium-based personal computer

• Microsoft Windows 95/98/2000/NT

• 64 MB of RAM

• 50 MB of disk space

• CD-ROM drive


Principle 1 — Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with established privacy principles.

Objectives

This principle focuses on identifying and assigning ultimate responsibility for compliance. Appropriate accountability will ensure effective implementation, policy development, adherence, evaluation and refinement of privacy protection throughout your organization.

Your privacy policies and practices need to apply to all personal information in your control. Information in your control includes not only the data in your physical custody, but also personal information you may have transferred to a third party, such as a contractor, for data processing.

Potential Risk

• Unclear accountability could lead to mismanaging customer information (e.g., breaching customer trust, inappropriately disclosing personal information), which could damage your reputation and business relationships.

• Unclear accountability will make it more difficult for you to respond to customer complaints effectively, leading to customer dissatisfaction and potential loss of business.

• Unclear accountability will negatively affect a meaningful review of your company’s information management practices.


Implementing the Principle

What You Need To Do

• You assign accountability for compliance with these principles to a specific person or group of people in your company.

Yes No

• You make available the identity and contact information of the person or group of people in your organization who are accountable for compliance with established privacy principles.

Yes No

• You develop and then implement specific privacy policies and procedures.

Yes No

• You use contracts and/or other measures to ensure that when third parties process personal information on your behalf, they maintain a level of privacy protection comparable to your own practices.

Yes No

• You have established a complaint process to receive and respond to complaints and inquiries about your information management practices.

Yes No

• You train your staff and ensure that they understand, and are capable of implementing, your privacy policies and practices.

Yes No


Best Practices


• You regularly review your privacy policies and practices with staff to ensure consistent implementation.

Yes No

• You have a written policy in place outlining your responsibility for personal information.

Yes No

• Front-line staff are trained to handle customer inquiries regarding:

• privacy complaints;

• correction requests; and

• requests for access to personal information.

Yes No

• You have built an ongoing compliance monitoring system.

Yes No

• You have integrated your information management policies and practices into new staff training.

Yes No

• You clearly mandate the responsibilities of individual staff and have regular reviews.

Yes No

• You have specific audit and enforcement mechanisms (e.g., contracts) to ensure appropriate collection, use, and disclosure of personal information transferred to third parties.

Yes No

• Effective compliance with privacy principles is part of the performance evaluation for individuals who have been designated as accountable for the organization’s privacy policies.

Yes No


Principle 2 — Identifying Purposes

The purpose for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Objectives

Identifying the purposes for which you need personal information to conduct your business is a critical first step in defining what personal information you need to collect, use and disclose. Your purposes should be reasonable in the context of your business. In addition, you must ensure that you do not define your purposes so broadly as to make them meaningless to the individual from whom you want to collect personal information.

In defining your purposes, consider the following actions:

• collection – what personal information you gather, acquire, or obtain from any source, including third parties, by any means, and why;

• use – how you handle and use personal information within your company; and

• disclosure – when, how, and why you make personal information available to third parties outside your company.

Potential Risk

• Collecting more information than you need may expose your organization to greater liability and security risk.

• Failure to design processes that match the business need to collect certain personal information could lead to the inadvertent collection of unintended information, creating additional administration costs.

• Failure to inform customers of your purpose for collecting their information may cause you to lose customers.

• Failure to identify your purposes for collecting personal information will make it difficult to responsibly manage the information in your custody.


Implementing the Principle


What You Need To Do

• You identify the legitimate purposes for collecting personal information at or before the time you actually collect the information.

Yes No

• You define what personal information is necessary to fulfill the purposes identified, taking into account both primary and secondary purposes (e.g., audit, marketing, etc.).

Yes No

• You document your purposes so that your staff and the individuals to whom the information relates understand these purposes.

Yes No

• When you want to use personal information already in your custody for a new purpose not identified at the time of the initial collection, you seek the consent of the individual, unless the new purpose is required by law.

Yes No

• You have examined opportunities for using non-identifiable information (i.e., coded, anonymous, pseudonymous, or aggregated data) rather than personal information to meet your purposes.

Yes No


Best Practices

• Your identified purposes for collecting personal information are publicly available at the time of collection.

Yes No

• Employees collecting personal information are able to explain to individuals the purposes for which the information is being collected.

Yes No

• You have clear procedures in place to seek informed customer consent prior to using or disclosing personal information for new purposes not identified at the time of collection.

Yes No

• You review the purposes for which you collect personal information regularly, to ensure that they remain current.

Yes No

• The identified purposes for collecting personal information are communicated to the business areas responsible for processing and collecting the data.

Yes No

• Staff pro-actively explain to customers what personal information is collected and why.

Yes No


Principle 3 — Consent

The knowledge and informed consent of the individual are required for the collection, use, or disclosure of personal information, except where exempted by law.

Objectives

This principle places an explicit obligation on you to obtain consent from individuals for the collection, use and disclosure of their data, except in limited circumstances.

This principle requires both knowledge and consent. This means that you should not ask for consent unless you have made a reasonable effort to inform individuals of the purposes for which you will be collecting, using and disclosing their personal information. In addition, you should not use consent to attempt to override your obligations and responsibilities under these principles.

Consent is a voluntary agreement with what is being done or proposed. Consent can be obtained in a variety of ways, and may include both explicit and implied forms of consent. You should consider the sensitivity of the personal information involved when determining what method is appropriate. As a general rule, the greater the potential harm to individuals if their personal information is misused, the greater your responsibility to ensure that their consent is informed and explicit.

Potential Risk

• Failure to seek consent or seeking consent in ways not appropriate to the sensitivity of the information could erode customer trust and may result in a backlash; this in turn may result in loss of reputation.

• Failure to obtain consent may decrease the efficacy of some business practices, such as marketing, by targeting products and services to uninterested parties.

• Failure to obtain consent will result in legal liabilities or sanctions where the obligation to seek consent is required by law or self-regulation.

• Failure to get explicit consent may contribute to customers withdrawing their consent for future information use.


Implementing the Principle

What You Need to Do

• Consent is obtained for the collection, use and disclosure of personal information, at or before the time of collection, except where not appropriate (e.g., exchange of information with a credit agency for a loan).

Yes No

• You take into account the sensitivity of the personal information when determining what form of consent is appropriate for the circumstances (e.g., express or implied consent; opt-in or opt-out).

Yes No

• You make a reasonable effort to advise the individual of the purposes for which the information will be used.

Yes No

• You do not make consent to the collection, use or disclosure of personal information for secondary purposes, such as marketing, a condition of the supply of your product or service.

Yes No

• You do not deceive or mislead the individual in order to obtain consent.

Yes No

• You inform individuals that they may withdraw consent at any time, and explain the implications of their withdrawal to them.

Yes No


Best Practices

• You take into account the reasonable expectations of the individual when determining how to seek consent; for example, positive, express consent is sought where the information is sensitive.

Yes No

• You periodically review and update consent and withdrawal of consent for each individual.

Yes No

• You document the mechanism by which consent is given (e.g., over the telephone, in writing, by e-mail, etc.).

Yes No

• You verify when, and for what reasons, consent for the collection of personal information has not been obtained from an individual.

Yes No

• You review your staff’s actions in obtaining customer consent and advising customers of their options.

Yes No

• You regularly review the customer consent process.

Yes No

• You have processes in place that ensure consent is gained before personal information is disclosed within or outside your organization.

Yes No


Principle 4 — Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Objectives

This principle limits the amount and type of personal information you may collect from any source, including third parties.

You must be able to establish a clear link between the information you collect and the purposes you have identified for collecting information. This principle requires you not to collect personal information beyond that which is necessary to fulfil your identified purposes.

Potential Risk

• Failure to limit your collection of personal information increases the volume of data you are responsible for managing, and may expose your organization to increased costs and greater liability.

• The more information you collect, the greater the chances of inaccuracy.

• Unfair or unlawful collection may expose you to charges of deceptive business practices.

• Collecting more information than is necessary for your purposes may aggravate your customers, resulting in lost business.

• If your organization collects information electronically (e.g., cookies), failure to inform your customers could lead to a backlash against your organization.


Implementing the Principle


What You Need to Do

• You limit both the type and amount of personal information you collect to only that which is necessary for your identified purpose(s).

Yes No

• You collect personal information in a fair and lawful way, and do not deceive or mislead individuals.

Yes No

• You do not collect personal information indiscriminately.

Yes No

• You describe what type of personal information you collect and how it will be used and disclosed.

Yes No


Best Practices

• You communicate your collection practices clearly, avoiding highly subjective or ambiguous phrasing that may confuse customers.

Yes No

• You restrict the amount and type of information you collect to that which the individual has consented to.

Yes No

• You inform customers of their options to restrict the collection of their personal information, where available.

Yes No

• You seek or have sought customer feedback regarding the clarity and comprehension of your collection practices.

Yes No

• There is a regular review of information collection and handling practices to ensure compliance with the restricted collection principle.

Yes No

• If you collect personal information from a third party, you ensure the third party has gained consent from the customer for the disclosure.

Yes No

• Your organization uses opt-in consent prior to using cookies or any other information collected electronically.

Yes No


Principle 5 — Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the informed consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

Objectives

You should use or disclose personal information only for the purposes identified to the individual at the time of collection. New uses or disclosures are permissible only with the consent of the individual or as required by law.

This principle imposes a responsibility on you to keep personal information for a minimum length of time; either as specified in industry standards or applicable legislation or only as long as it is needed to achieve the identified purposes.

Potential Risk

• Use or disclosure of personal information beyond your identified purposes jeopardizes customer trust and may give rise to charges of deceptive business practices.

• Without a defined retention schedule, you run the risk of either retaining information for too long, thereby incurring additional information management costs, or destroying information prematurely, thereby eroding the ability of individuals to access information about themselves, and eroding your potential use of needed information.


Implementing the Principle

What You Need to Do

• You use and disclose personal information in your control only for the purposes for which you collected it, unless you have obtained consent, or the use or disclosure is required by law.

Yes No

• You document your use of personal information for any new purpose(s) not initially communicated to customers when receiving their consent.

Yes No

• You retain information only as long as necessary to fulfil your identified purposes (you have a policy of purging personal information from your databases).

Yes No

• You retain personal information used to make a decision about an individual long enough to allow the individual to access that data and challenge its accuracy.

Yes No

• You have procedures in place to govern the secure destruction of personal information.

Yes No


Best Practices


• You only use and disclose personal information for purposes identified at the time of collection.

Yes No

• You have defined limited and specific exceptions for when you will use or disclose information for reasons other than those identified at the time of collection.

Yes No

• You have both policy and technical restraints in place to limit your use and disclosure of personal information to your identified purposes.

Yes No

• You communicate the limitations on use and disclosure of personal information to all pertinent staff.

Yes No

• You monitor your procedures, legal contracts, policies, and technical controls regularly to ensure appropriate restrictions on the use and disclosure of personal information are in place.

Yes No

• You disclose personal information to third parties only for purposes identified at the time of collection.

Yes No

• Your data retention practices include specific retention procedures, as well as minimum and maximum retention periods.

Yes No


• You have a clear timetable for retaining and disposing of personal information.

Yes No

• You communicate your practices regarding use, disclosure, and retention to the business functions responsible for retaining personal information.

Yes No

• You retain personal information only for the purposes for which you have collected it, except when required by law.

Yes No

• Personal information that is no longer required to fulfill the identified purposes is destroyed, erased, or rendered anonymous.

Yes No

• You inform individuals of your retention periods and what youintend to do with the information after the maximum retentionperiods are reached.

Yes No

• You update personal information only as appropriate.

Yes No

Principle 6 — Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Objectives

Your business need for accurate personal information will vary according to the purposes for which you collect, use, and disclose it.

As a general rule, if you use or disclose personal information on an on-going basis, you should make sure it is accurate. For some purposes, however, you may not require information that is current and up to date. In these cases, you should limit your efforts to update personal information to only what is necessary.

When determining the necessary degree of accuracy, completeness and timeliness of data, you need to consider the requirements of your identified purpose and whether the individual might be harmed by your use or disclosure of inaccurate information.

Potential Risk

• Use of inaccurate information to make decisions about customers can lead to lost profits and market share.

• Inaccurate information may harm the customer, and jeopardize customer relations.

• Failure to identify inaccurate information may lead to business decisions being made on the basis of incorrect, and possibly misleading, information.

• Failure to identify the appropriate need for current and up to date information may lead to unnecessary updates, resulting in wasted resources and customer annoyance.

Implementing the Principle

What You Need to Do

• You keep the personal information in your control only as accurate, complete and up-to-date as necessary for the identified purposes.

Yes No

• You take into account the interests of the individual when determining how accurate, complete and up-to-date personal information in your custody needs to be.

Yes No

• You ensure that personal information is sufficiently accurate to minimize the chances of inappropriate data being used when making decisions about individuals.

Yes No

Best Practices

• Your practice defines when updates are appropriate, based on your purposes and the interests of your customers.

Yes No

• Any limits to the requirement for accuracy are clearly set out.

Yes No

• You have procedures to verify and correct personal information.

Yes No

• You inform individuals of how to access and correct the personal information in your custody.

Yes No

• You conduct periodic assessments of accuracy in your databases.

Yes No

Principle 7 — Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Objectives

Your security safeguards, both electronic and physical, should be appropriate and proportional to the sensitivity of the personal information involved. The more sensitive personal information is, the more security is required.

While some types of personal information (e.g., medical or financial data) are generally considered sensitive, other types of information may be sensitive depending upon the context.

In determining the level of sensitivity, consider how much personal information could be revealed if accessed by unauthorized parties, as well as the potential harm to the individual if the data is misused or disclosed in an unauthorized manner. The greater the potential harm, the greater your security requirement.

Potential Risk

• Without appropriate security measures, unauthorized parties (both within and outside your company) may be able to access, use, copy, disclose, alter, and destroy the personal information in your custody, which you are responsible for protecting. Such action could create significant harm to the individual to whom the data relates, as well as potential liability for your company.

• Without appropriate access control mechanisms, unauthorized individuals may access personal information for unauthorized purposes.

• Without appropriate audit trails for access to personal information, security breaches may not be detected and remedied.

Implementing the Principle

What You Need to Do

• You implement security safeguards to protect personal information in your control against loss or theft, and unauthorized access, disclosure, copying, use, or modification.

Yes No

• Your security safeguards are appropriate and proportional to the sensitivity of the personal information in your custody.

Yes No

• You protect all personal information in your control, regardless of its format.

Yes No

• You make your staff aware of the importance of maintaining the confidentiality of personal information in your control.

Yes No

• You dispose of or destroy personal information in a way that prevents unauthorized parties from gaining access to it.

Yes No

Best Practices

• Your premises are conducive to keeping client/employee information private and confidential.

Yes No

• Third party monitoring and audit of security systems are conducted on a regular basis.

Yes No

• You communicate your security safeguards regarding access, use, disclosure, and disposal of personal information to all relevant staff.

Yes No

• You document misuses of personal information and notify affected customers.

Yes No

• You have an information security policy that includes specific requirements for the identification and authorization of personnel with access to personal information.

Yes No

• All personnel have unique identifiers, which are used to access personal information.

Yes No

• All personnel are authenticated (for example, by the use of a password) in order to gain access to personal information, using an authentication mechanism commensurate with the scope of access, and the sensitivity of the information.

Yes No

• You have an information security policy that includes specific requirements for maintaining the confidentiality of personal information.

Yes No

• You transmit personal information over secure channels and/or encrypt any transmissions over open channels.

Yes No

• You physically secure paper records containing personal information.

Yes No

• You have an information security policy which includes specific requirements for the creation of audit trails for all information systems that process personal information and for the active monitoring of all information systems that process personal information.

Yes No

• Intrusion detection systems (host or network based) are implemented for all information systems that contain personal information.

Yes No

• Procedures have been defined for the monitoring of intrusion detection systems, and for responding to any alerts that are generated.

Yes No

Principle 8 — Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Objectives

This principle places an obligation on you to be open and transparent in your information management practices. In doing so, this principle ensures that your accountability for personal information is effectively implemented and that individuals can obtain the information they need in order to make informed decisions about their business relationship with you. Openness and transparency are essential components of customer trust.

The information you make available about your policies and practices must include the name (or title) and address of the person who is accountable for them, and to whom individuals may direct their complaints or inquiries.

In addition, you must make available a description of the following:

• how individuals can get access to personal information in your control;

• the type of personal information you hold;

• how you use personal information; and

• what personal information you make available to related organizations.

Finally, you must make publicly available a copy of any brochures or other documented information explaining your privacy and information management policies, practices, standards, or codes.

Potential Risk

• Inaccessibility to an organization’s privacy program prevents individuals from gaining an understanding of how an organization handles and protects their personal information, and may undermine the ability to obtain informed consent.

• Without openness you sacrifice customer trust and confidence and undermine your customer relations management.

Implementing the Principle

What You Need to Do

• You are open about your policies and practices with respect to the management of personal information.

Yes No

• You make available details on the type of personal information you hold, how it is used and disclosed, and how to access it.

Yes No

• You enable individuals to obtain information about your policies and practices without an unreasonable effort.

Yes No

• You make that information available in a format that is generally understandable.

Yes No

Best Practices

• You make information on your policies and practices available in a variety of ways, depending on the nature of your business (e.g., through brochures, online access, or a toll-free telephone number).

Yes No

• A description of your privacy program is included in all third party partner agreements and contracts.

Yes No

• You explain the use of any non-visible tracking tools such as clickstream data, and clear GIF files (Web Bugs).

Yes No

• Your employees understand and commit to complying with your organization’s privacy program.

Yes No

• You communicate your compliance with your privacy policies and practices through appropriate means (e.g., professional memberships, privacy seals, publication of notices of non-compliance).

Yes No

Principle 9 — Individual Access

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Objectives

In order for individuals to be able to make informed decisions about their business relationship with you, and to effectively exercise some control over their personal information, they must be able to access personal information about themselves. Equally as important, they must also be able to correct inaccurate or incomplete information.

It may not always be appropriate or possible for you to provide access to all the personal information you have. Nevertheless, you have a responsibility to provide as much access as is reasonably possible. Your reasons for not allowing an individual to access their personal information should be limited, specific, reasonable, and justified. Where you are unable to provide full access, you should provide an explanation for the denial to the individual.

This principle places a responsibility on you to facilitate individuals’ right of access and correction, on request.

Potential Risk

• Failure to provide customer access may result in inaccurate data.

• Failure to consider customer access in the design of information management systems may result in substantial subsequent costs.

• Ignoring a customer’s right to challenge your organization’s compliance will escalate privacy complaints and make them far more costly to resolve.

Implementing the Principle

What You Need to Do

• Upon request, you tell individuals if you have personal information about them and provide access to that data, except in limited circumstances.

Yes No

• You tell individuals how their personal information is being used, and to whom it has been disclosed.

Yes No

• You respond to an individual’s request for access in a reasonable time, and at minimal, or preferably no, cost.

Yes No

• You provide the requested information to the individual in a format that is generally understandable, along with any explanation needed to facilitate the individual’s understanding.

Yes No

• You enable the individual to challenge the accuracy and completeness of personal information in your control, and amend it as appropriate.

Yes No

• You attach a statement of disagreement to records where you cannot agree to the requested amendment.

Yes No

Best Practices

• You authenticate the identity of the individual making a request for personal information.

Yes No

• You provide individuals with a list of organizations to which you may have disclosed their personal information, if you cannot give them a list of the actual disclosures.

Yes No

• You send the corrected data, or the statement of disagreement, to third parties who have previously accessed the personal information in question, as appropriate.

Yes No

Principle 10 — Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

Objectives

This principle addresses an individual’s right to challenge your compliance with these privacy principles, and with your stated privacy policies and practices. It makes you responsible for enabling the individual to effectively exercise that right. The purpose is not only to enhance your accountability, but also to empower the individual.

Potential Risk

• Without an effective process to challenge compliance, individuals will be unable to evaluate your privacy program and your handling of their personal information.

• Failure to provide this component of customer service could result in customer dissatisfaction and loss of business.

• Without a process to challenge compliance, you risk losing the opportunity to improve your business practices.

Implementing the Principle

What You Need to Do

• You have procedures to receive and respond to complaints or inquiries about your handling of personal information.

Yes No

• You explain your inquiry and complaint procedures to individuals.

Yes No

• You investigate all complaints.

Yes No

• You take appropriate measures to rectify the situation, if you find a complaint to be justified.

Yes No

• You change your information management policies and practices, if necessary.

Yes No

Best Practices

• Your compliance process is easily accessible and simple to use.

Yes No

• Your staff responds to public enquiries in a fair, accurate and timely manner.

Yes No

• Complaint and dispute resolution processes are regularly monitored for effectiveness, fairness, impartiality, confidentiality, ease of use, and timeliness.

Yes No


Glossary of Terms

Access (Individual Access)

Upon request, an individual shall be informed of the existence, use, and disclosure of his/her personal information and shall be given access to that information.

An individual shall have the right to challenge the accuracy and completeness of the information and have it amended as is appropriate.

Accountability

An organization is responsible for personal information under its control and shall designate individual(s) who are accountable for the organization’s compliance with the Fair Information Practice principles and applicable legislation.

Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is collected.

Personal information shall be updated only when necessary to fulfill the purposes for which it was collected.

Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual(s) accountable for the organization’s compliance.


Consent

There must be voluntary agreement of the data subject to the collection, use, and disclosure of his/her personal information. This consent may be either express or implied, and should include an explanation as to the implications of withdrawing consent.

Express consent is given explicitly and unambiguously, either verbally or in writing. It is unequivocal and does not require any inference on the part of the organization seeking consent.

Implied consent is given when the action/inaction of an individual reasonably infers this consent.

Consent should never be a condition for supplying a product or service, unless the information requested is required to fulfill an explicitly specified and legitimate purpose.

Disclosure

Disclosure occurs when personal information is made available to other areas within an organization for which the information was not originally collected, or to others outside the organization.

Identify the Purpose

Purposes, which include why information is being collected and how it will be used, shall be identified by the organization at or before the time of collection.

The reason for collecting information should be documented. The individual from whom the information is collected should be informed as to why this information is required.

Limiting Collection

The collection of personal information must be limited to that which is necessary for the purposes identified by the organization.

Information shall be collected by fair and lawful means. The type and amount of information collected should be limited to that which is necessary for the purposes identified.

Staff members must be able to explain the reason for collecting information.

Limiting Use, Disclosure, Retention

Personal information shall not be used or disclosed for purposes other than for which it was collected, except with the consent of the individual or as required by law.

Any new use for personal information must be identified. Consent must be obtained from an individual before the information is used for the purpose identified.

Personal information shall only be retained as long as is necessary for the fulfillment of the purposes identified. Maximum and minimum retention periods, which take into account any legal requirements or restrictions and redress mechanisms, should be instituted.

Information without a specific purpose or that no longer fulfils its intended purpose shall be disposed of in a manner that prevents improper access, such as the shredding of paper files or deletion of electronic records.

Policies outlining the type and frequency of updates to information should be established.

Openness

An organization shall make specific information about its policies and practices relating to the management of personal information readily available to individuals, in a manner that is easy to understand. Customers, clients, and employees shall be informed of these policies.

Personal Information

Personal information is any factual or subjective information, recorded or not, regarding an identifiable individual. Examples include name, age, identification numbers, income, ethnic origin, blood type, opinions, evaluations, comments, social status, disciplinary actions, employee files, credit or loan records, medical records, or the existence of a dispute between a consumer and a merchant.

Personally Identifiable Information

Personally identifiable information is any data that uniquely links an individual to other piece(s) of data. Examples include PINs (personal identification numbers), access cards, passwords, retinal and fingerprint scans, and e-mail or IP addresses. This type of information should be treated in the same manner as personal information collected in an ‘offline’ environment.

Privacy

Privacy is the fundamental right of an individual to decide about the processing of his/her personal data as well as to protect his/her intimate sphere. Privacy violations include:

• improper acquisition of personal information, including its access, collection, and distribution;

• improper use of information, including its use for reasons other than for which it was explicitly collected or its transfer to other parties;

• unwanted solicitation of personal data; and

• improper storage of information.

Retention Period

A retention period is the duration of time personal information is held. Personal information should not be held for longer than is necessary to fulfill the purpose for which it was collected, but must be retained long enough to allow individuals to access it if it has formed the basis of a decision that affects them.

Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Use

Use refers to the treatment and handling of personal information within an organization.

Related Privacy Links

For additional information and resources on privacy and related issues, refer to the Web sites listed below. These sites represent a sample of international perspectives, and contain additional links to a wealth of privacy information.

• Office of the Information and Privacy Commissioner/Ontario: http://www.ipc.on.ca

• Privacy Commissioner of Canada: http://www.privcom.gc.ca

• Federal Trade Commission (United States of America): http://www.ftc.gov

• International Virtual Privacy Office: http://www.privacyservice.org

• OECD – Information Security and Privacy: http://www.oecd.org/EN/newsevents/0,,EN-newsevents-40-nodirectorate-no-no-no-13,00.html

• Australian Privacy Commissioner: http://www.privacy.gov.au
